MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88b5ef0a08f3f2dc0a7dbae00627cbb4324d1f71405fc12eb9311cc84b8e0ea9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	88b5ef0a08f3f2dc0a7dbae00627cbb4324d1f71405fc12eb9311cc84b8e0ea9
SHA3-384 hash:	cf6b7b1bca73946f6937c5580a78c2d85386c12ac34ab25fbb38a065566c97cedf44c9411ce85b225200e600b48d12c4
SHA1 hash:	72a8c1624e4519bf1d23ea7167fdf4c03160dd36
MD5 hash:	f4c00629a54ae4db7a64a9bde86504e0
humanhash:	august-kitten-triple-emma
File name:	88b5ef0a08f3f2dc0a7dbae00627cbb4324d1f71405fc12eb9311cc84b8e0ea9
Download:	download sample
File size:	5'472'553 bytes
First seen:	2020-11-10 08:46:57 UTC
Last seen:	2024-07-24 18:29:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	227fe66ff6f22dec0266a5718d365ece (39 x CoinMiner, 1 x CobaltStrike, 1 x Berbew)
ssdeep	49152:ROdWCCi7/raS56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lv:RWWBibB56utgpPFotBER/mQ32lUD
Threatray	257 similar samples on MalwareBazaar
TLSH	A4465C41ED9B45F2EB8712308CB31E5F6333B2190335EAC3DA654A6FE5276E46B36241
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Win.Trojan.Razy-7331645-0

Win.Trojan.Razy-7332867-0

Win.Trojan.Razy-7364523-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Launching the Android Debug Bridge process

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/88b5ef0a08f3f2dc0a7dbae00627cbb4324d1f71405fc12eb9311cc84b8e0ea9/

Threat name:

Win64.Trojan.CoinMiner

Status:

Malicious

First seen:

2020-11-10 08:49:08 UTC

AV detection:

36 of 48 (75.00%)

Threat level:

5/5

Verdict:

suspicious

0e1a67e3f9f273af8df4d73ca9faf02acd963117babed391f9a8caeb5c4e3fde

1e50a6169593f13f606adfe24a312a576653bdbb5688d7106a063c9a174d8b2d

22f52343a08d9df34006583847ac1d7fe29ed8c351fa8a3be9a57f11af747ea6

320b33dd8238469b367c6f2a381be0adabe277f9e209f24422cfef7f393a368a

7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8

8c7cb6899388a6a8508d50cb30d4b6f371ce72d54cbf28fd8acbf0e05a8bc2f4

da9648f3a908fa5c14386ee30570b3465ec26dde00bccd3555d5de74d49eec7b

ddf12627ac05a185047807aa961c819a0b9bf6949e01d3c18aa2f277e87bca85

e04dd6ecda2af82e6087b201788ef15011a410d4fd72b5a0b7971ac5e816811f

+ 247 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike backdoor trojan upx

Link:

https://tria.ge/reports/201110-j1h8yek7ke/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Windows directory

JavaScript code in executable

Loads dropped DLL

Executes dropped EXE

UPX packed file

Cobalt Strike reflective loader

Cobaltstrike

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample